
How to Edit the KubeletConfiguration document to set serverTLSBootstrap: true in this doc #3107

Closed
freshgeek opened this issue Sep 7, 2024 · 4 comments
Labels
kind/support Categorizes issue or PR as a support question.


freshgeek commented Sep 7, 2024

  1. In this doc: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#before-you-begin


> If you have already created the cluster you must adapt it by doing the following:
>
> - Find and edit the kubelet-config-1.31 ConfigMap in the kube-system namespace. In that ConfigMap, the kubelet key has a [KubeletConfiguration](https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/) document as its value. Edit the KubeletConfiguration document to set serverTLSBootstrap: true.
> - On each node, add the serverTLSBootstrap: true field in /var/lib/kubelet/config.yaml and restart the kubelet with systemctl restart kubelet
>
> The field serverTLSBootstrap: true will enable the bootstrap of kubelet serving certificates by requesting them from the certificates.k8s.io API. One known limitation is that the CSRs (Certificate Signing Requests) for these certificates cannot be automatically approved by the default signer in the kube-controller-manager - [kubernetes.io/kubelet-serving](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers). This will require action from the user or a third party controller.

But in my cluster, the kube-config YAML is:

apiVersion: v1
kind: ConfigMap
metadata:
  name: kubelet-config
  annotations:
    kubeadm.kubernetes.io/component-config.hash: sha256:aab154d5dbad39ee2ec2c8baebf46711be8a27a314a7f4ecaa58839760e4b820
    #  key: string
  creationTimestamp: '2024-07-05T03:46:11Z'
  labels:
    {}
    #  key: string
  namespace: kube-system
  resourceVersion: '237'
  uid: ffc39eba-752a-439a-ad9a-0e5ace13d00c
  fields:
    - kubelet-config
    - 1
    - 64d
data:
  kubelet: |+
    apiVersion: kubelet.config.k8s.io/v1beta1
    authentication:
      anonymous:
        enabled: false
      webhook:
        cacheTTL: 0s
        enabled: true
      x509:
        clientCAFile: /etc/kubernetes/pki/ca.crt
    authorization:
      mode: Webhook
      webhook:
        cacheAuthorizedTTL: 0s
        cacheUnauthorizedTTL: 0s
    cgroupDriver: systemd
    clusterDNS:
    - 10.119.0.10
    clusterDomain: cluster.local
    containerRuntimeEndpoint: ""
    cpuManagerReconcilePeriod: 0s
    evictionPressureTransitionPeriod: 0s
    fileCheckFrequency: 0s
    healthzBindAddress: 127.0.0.1
    healthzPort: 10248
    httpCheckFrequency: 0s
    imageMinimumGCAge: 0s
    kind: KubeletConfiguration
    logging:
      flushFrequency: 0
      options:
        json:
          infoBufferSize: "0"
      verbosity: 0
    memorySwap: {}
    nodeStatusReportFrequency: 0s
    nodeStatusUpdateFrequency: 0s
    rotateCertificates: true
    runtimeRequestTimeout: 0s
    shutdownGracePeriod: 0s
    shutdownGracePeriodCriticalPods: 0s
    staticPodPath: /etc/kubernetes/manifests
    streamingConnectionIdleTimeout: 0s
    syncFrequency: 0s
    volumeStatsAggPeriod: 0s
  #  key: string
__clone: true
#binaryData:  key: string
#immutable: boolean

The value is: kind: KubeletConfiguration

Does this mean it is parsed as JSON?

    kind:
      serverTLSBootstrap: true

@freshgeek freshgeek changed the title in this How to Edit the KubeletConfiguration document to set serverTLSBootstrap: true in this doc Sep 7, 2024

freshgeek commented Sep 7, 2024

I'm confused about how to fix kubernetes-sigs/metrics-server#196

@freshgeek
Author

I compared the config key with the doc; maybe the YAML text is:

    kind: KubeletConfiguration
    serverTLSBootstrap: true

@neolit123
Member

our docs for reconf of clusters:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure/#updating-the-kubeletconfiguration

kubeletconfig docs
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

the correct syntax is:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true
...

/support
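A check for the placement discussed in this thread, as an added example that is not part of the original comments and not kubeadm code: it reads a KubeletConfiguration document and reports whether `serverTLSBootstrap: true` is a top-level field, as in the answer above, or nested under another key, as in the question. The function name, status words and sample documents are constructed for illustration; the scan is line-based, not a full YAML parser.

```shell
#!/usr/bin/env bash
# Added example, not kubeadm code: line-based lint (not a full YAML parser)
# for where serverTLSBootstrap sits in a KubeletConfiguration document.
#
# Live input (the ConfigMap name is the one shown in this issue):
#   kubectl -n kube-system get cm kubelet-config -o jsonpath='{.data.kubelet}' \
#     | check_server_tls_bootstrap
#   check_server_tls_bootstrap < /var/lib/kubelet/config.yaml

# Prints one status word; returns 0 only when the field is top-level and true.
check_server_tls_bootstrap() {
  awk '
    /^[ \t]*(#|$)/ { next }                               # comments, blank lines
    /^kind:[ \t]+KubeletConfiguration[ \t]*$/ { kind_ok = 1 }
    /^serverTLSBootstrap:/ { top = 1; if ($2 == "true") enabled = 1; next }
    /^[ \t]+serverTLSBootstrap:/ { nested = 1 }           # indented = child of another key
    END {
      if (nested)   { print "misplaced"; exit 2 }
      if (!kind_ok) { print "not-kubelet-config"; exit 2 }
      if (!top)     { print "missing"; exit 1 }
      if (!enabled) { print "disabled"; exit 1 }
      print "ok"
    }'
}

# Constructed samples: the layout from the maintainer answer, the nested
# layout asked about in the question, and a document without the field.
sample_correct() {
  printf '%s\n' 'apiVersion: kubelet.config.k8s.io/v1beta1' \
    'kind: KubeletConfiguration' 'rotateCertificates: true' \
    'serverTLSBootstrap: true'
}
sample_nested() {
  printf '%s\n' 'apiVersion: kubelet.config.k8s.io/v1beta1' \
    'kind:' '  serverTLSBootstrap: true'
}
sample_unset() {
  printf '%s\n' 'apiVersion: kubelet.config.k8s.io/v1beta1' \
    'kind: KubeletConfiguration' 'rotateCertificates: true'
}

for s in sample_correct sample_nested sample_unset; do
  printf '%s: %s\n' "$s" "$("$s" | check_server_tls_bootstrap)"
done
```

After the kubelet restarts with the field set, its serving CSRs for the `kubernetes.io/kubelet-serving` signer stay pending until approved, as the quoted documentation states; `kubectl get csr` lists them.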


github-actions bot commented Sep 9, 2024

Hello, @freshgeek 🤖 👋

You seem to have troubles using Kubernetes and kubeadm.
Note that our issue trackers should not be used for providing support to users.
There are special channels for that purpose.

Please see:

@github-actions github-actions bot added the kind/support Categorizes issue or PR as a support question. label Sep 9, 2024
@github-actions github-actions bot closed this as completed Sep 9, 2024